This is an automated email from the ASF dual-hosted git repository.

acosentino pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-quarkus.git


The following commit(s) were added to refs/heads/main by this push:
     new 7c0f6f7133 Added VEX file from SBOM
7c0f6f7133 is described below

commit 7c0f6f71333c7f2a9ec23e474bc581e3b2fbbb59
Author: Andrea Cosentino <[email protected]>
AuthorDate: Wed Jul 10 12:18:58 2024 +0200

    Added VEX file from SBOM
    
    Signed-off-by: Andrea Cosentino <[email protected]>
---
 camel-quarkus-sbom/camel-quarkus-sbom.vex.json | 1252 ++++++++++++++++++++++++
 1 file changed, 1252 insertions(+)

diff --git a/camel-quarkus-sbom/camel-quarkus-sbom.vex.json 
b/camel-quarkus-sbom/camel-quarkus-sbom.vex.json
new file mode 100644
index 0000000000..e987c58952
--- /dev/null
+++ b/camel-quarkus-sbom/camel-quarkus-sbom.vex.json
@@ -0,0 +1,1252 @@
+{
+  "bomFormat" : "CycloneDX",
+  "specVersion" : "1.5",
+  "serialNumber" : "urn:uuid:d5459413-b97b-468a-99fe-914994f989ec",
+  "version" : 1,
+  "metadata" : {
+    "timestamp" : "2024-07-10T10:18:08Z",
+    "tools" : [
+      {
+        "vendor" : "OWASP",
+        "name" : "Dependency-Track",
+        "version" : "4.10.1"
+      }
+    ],
+    "component" : {
+      "name" : "Camel-Quarkus",
+      "version" : "3.0.0",
+      "externalReferences" : [
+        {
+          "type" : "website",
+          "url" : "http://camel.apache.org";
+        },
+        {
+          "type" : "distribution-intake",
+          "url" : 
"https://repository.apache.org/service/local/staging/deploy/maven2";
+        },
+        {
+          "type" : "issue-tracker",
+          "url" : "https://github.com/apache/camel-quarkus/issues";
+        },
+        {
+          "type" : "mailing-list",
+          "url" : "[email protected]"
+        },
+        {
+          "type" : "vcs",
+          "url" : "https://github.com/apache/camel-quarkus";
+        }
+      ],
+      "type" : "library",
+      "bom-ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+    }
+  },
+  "vulnerabilities" : [
+    {
+      "bom-ref" : "533bb1ce-7b5a-4881-a3b0-309aead23e1f",
+      "id" : "SNYK-JAVA-ORGMOZILLA-1314295",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 8.2,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:R"
+        }
+      ],
+      "description" : "## Overview 
[org.mozilla:rhino](https://github.com/mozilla/rhino) is a Rhino is an 
open-source implementation of JavaScript written entirely in Java. It is 
typically embedded into Java applications to provide scripting to end users. 
Affected versions of this package are vulnerable to XML External Entity (XXE) 
Injection. The function `toXml` allows usage of external entities when parsing 
an XML document. ## Details XXE Injection is a type of attack against an applic 
[...]
+      "recommendation" : "Upgrade the package version to 1.7.12 to fix this 
vulnerability",
+      "created" : "2021-06-24T10:42:20Z",
+      "published" : "2021-06-24T14:49:34Z",
+      "updated" : "2024-03-06T14:00:46Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "05b4242e-e1bd-424c-8ede-2568da828d30",
+      "id" : "SNYK-JAVA-IOAIRLIFT-7164637",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 8.2,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Out-of-bounds Read via the decompression process due to improper 
input length validation in the functions 
`SnappyRawDecompressor.readUncompressedLengt`, 
`SnappyRawDecompressor.uncompressAll`, `ZstdFrameDecompressor.decompress`, 
`Lz4RawDecompressor.decompress` and `LzoRawDecompressor.decompress`. By 
exploiting this vulnerability, an attacker can crash the JVM or leak sensitive 
information by decompressi [...]
+      "recommendation" : "Upgrade the package version to 0.27 to fix this 
vulnerability",
+      "created" : "2024-05-30T06:38:51Z",
+      "published" : "2024-05-30T10:47:25Z",
+      "updated" : "2024-06-06T12:41:41Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "9574845e-fc07-48e8-96ab-0bdd678c7ec1",
+      "id" : "SNYK-JAVA-AIDJL-7267990",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 8.6,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) that 
allows an attacker to overwrite arbitrary system files by providing a relative 
pathname to archive files. ## Details It is exploited using a specially crafted 
zip archive, that holds path traversal filenames. When exploited, a filename in 
a malicious archive is concatenated to the target extraction directory, which 
results in the final path en [...]
+      "recommendation" : "Upgrade the package version to 0.28.0 to fix this 
vulnerability",
+      "created" : "2024-06-18T11:17:25Z",
+      "published" : "2024-06-18T11:52:04Z",
+      "updated" : "2024-06-18T11:52:04Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "9d33265c-035a-4abe-93e7-dbe6b34148b6",
+      "id" : "SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.jetbrains.kotlin:kotlin-stdlib](https://search.maven.org/artifact/org.jetbrains.kotlin/kotlin-stdlib)
 is a Kotlin Standard Library for JVM. Affected versions of this package are 
vulnerable to Information Exposure. A Kotlin application using `createTempDir` 
or `createTempFile` and placing sensitive information within either of these 
locations would be leaking this information in a read-only way to other users 
also on this system. **Note:** As of ver [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2022-02-04T09:36:58Z",
+      "published" : "2022-02-04T14:31:42Z",
+      "updated" : "2024-03-11T09:50:55Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "91b3a0f9-6e58-45f1-8484-505b87133fcf",
+      "id" : "SNYK-JAVA-COMMICROSOFTAZURE-7246766",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.5,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Concurrent Execution using Shared Resource with Improper 
Synchronization ('Race Condition') in the authentication process. An attacker 
can elevate privileges by exploiting race conditions during the token 
validation steps. This is only exploitable if the application is configured to 
use multiple threads or processes for handling authentication requests. 
**Notes:** 1) An attacker who successfully exploi [...]
+      "recommendation" : "Upgrade the package version to 1.15.1 to fix this 
vulnerability",
+      "created" : "2024-06-12T07:31:41Z",
+      "published" : "2024-06-12T08:05:15Z",
+      "updated" : "2024-06-12T08:05:15Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "e480ea97-1e64-4cb8-ba51-4604f8dd0395",
+      "id" : "SNYK-JAVA-COMAZURE-7246765",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.5,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Concurrent Execution using Shared Resource with Improper 
Synchronization ('Race Condition') in the authentication process. An attacker 
can elevate privileges by exploiting race conditions during the token 
validation steps. This is only exploitable if the application is configured to 
use multiple threads or processes for handling authentication requests. 
**Notes:** 1) An attacker who successfully exploi [...]
+      "recommendation" : "Upgrade the package version to 1.12.2 to fix this 
vulnerability",
+      "created" : "2024-06-12T07:31:40Z",
+      "published" : "2024-06-12T08:05:15Z",
+      "updated" : "2024-06-12T08:05:15Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "e0eedddb-beeb-4aca-b275-582f9fa1dc32",
+      "id" : "SNYK-JAVA-IOQUARKUS-6564967",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 7.0,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Information Exposure Through Environmental Variables due to the 
capture of local environment variables from the Quarkus namespace during the 
application's build process. Running the resulting application inherits the 
values captured at build time, which may include environment variables or 
`.env` facility configurations set for testing purposes. This can lead to 
unintended behaviour, such as dropping t [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2024-04-05T07:49:32Z",
+      "published" : "2024-04-05T09:03:21Z",
+      "updated" : "2024-04-05T09:03:21Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "ab440431-c676-41f6-9f82-4af27a9e7222",
+      "id" : "SNYK-JAVA-IOQUARKUSRESTEASYREACTIVE-3248762",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 3.3,
+          "severity" : "low",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+        }
+      ],
+      "cwes" : [
+        378
+      ],
+      "description" : "## Overview 
[io.quarkus.resteasy.reactive:resteasy-reactive-common](https://search.maven.org/artifact/io.quarkus.resteasy.reactive/resteasy-reactive-common/3.0.0.Alpha3/jar)
 is a RESTEasy Reactive - Common Runtime Affected versions of this package are 
vulnerable to Creation of Temporary File With Insecure Permissions via the 
usage of `File.createTempFile()` class in the `FileBodyHandler` serializer that 
causes temp files to be created with `-rw-r--r--` permissions. [...]
+      "created" : "2023-01-26T15:18:36Z",
+      "updated" : "2023-03-09T13:39:32Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "1dc5c8ad-179b-4875-b3a0-928b5f88f574",
+      "id" : "SNYK-JAVA-SOFTWAREAMAZONION-6153869",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 7.5,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Allocation of Resources Without Limits or Throttling via the 
deserialization of Ion text encoded data or the `IonValue` model processing. An 
attacker can cause a `StackOverflowError` by crafting malicious Ion data that 
triggers excessive resource consumption when loaded or processed. This is only 
exploitable if the application deserializes Ion data from an untrusted source 
or data that could have been  [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2024-01-12T09:57:16Z",
+      "published" : "2024-01-12T09:57:16Z",
+      "updated" : "2024-03-11T09:49:04Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "f2bc40ca-8891-4e15-9d15-e6cc8a2e5e13",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-5771339",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
 is a Java implementation of cryptographic algorithms. Affected versions of 
this package are vulnerable to Information Exposure due to missing validation 
for the X.500 name of any certificate, subject, or issuer. The presence of a 
wild card may lead to information disclosure. This could allow a malicious user 
to obtain unauthorized information via blind  [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2023-07-11T15:15:48Z",
+      "published" : "2023-06-30T08:15:58Z",
+      "updated" : "2024-03-11T09:54:01Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "32b6cce0-75c2-493e-990b-f218191d9fb7",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6084022",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.5,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+        }
+      ],
+      "description" : "## Overview 
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
 is a Java implementation of cryptographic algorithms. Affected versions of 
this package are vulnerable to Uncontrolled Resource Consumption ('Resource 
Exhaustion') within the `org.bouncycastle.openssl.PEMParser` class. Parsing a 
file that has crafted `ASN.1` data through the `PEMParser` causes an 
`OutOfMemoryError`. ## Workaround The attack can be avoid [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2023-11-24T08:10:03Z",
+      "published" : "2023-11-24T08:21:18Z",
+      "updated" : "2024-06-19T13:32:28Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "69a1fb82-9ed0-4c6b-8366-4f39f47a9ef4",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6277380",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.9,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
 is a Java implementation of cryptographic algorithms. Affected versions of 
this package are vulnerable to Observable Timing Discrepancy via the PKCS#1 1.5 
and OAEP decryption process. An attacker can recover ciphertexts via a 
side-channel attack by exploiting the Marvin security flaw. The PKCS#1 1.5 
attack vector leaks data via `javax.crypto.Cipher` exc [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2024-02-26T18:00:10Z",
+      "published" : "2024-03-03T21:08:12Z",
+      "updated" : "2024-04-21T07:48:52Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "baf76fde-dcec-43ed-bb1c-d7cec3a78a00",
+      "id" : "SNYK-JAVA-COMHAZELCAST-5781353",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 8.8,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+        }
+      ],
+      "description" : "## Overview 
[com.hazelcast:hazelcast](https://github.com/hazelcast/hazelcast) is a 
clustering and highly scalable data distribution platform. Affected versions of 
this package are vulnerable to Incorrect Permission Assignment for Critical 
Resource in executor services, which don't check client permissions properly, 
allowing authenticated users to execute tasks on members without the required 
permissions. **NOTE:** Only users using executor services for distributed  [...]
+      "recommendation" : "Upgrade the package version to 5.0.5,5.1.7,5.2.4 to 
fix this vulnerability",
+      "created" : "2023-07-19T08:02:03Z",
+      "published" : "2023-07-19T08:22:25Z",
+      "updated" : "2024-03-11T09:53:27Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "943cb13e-8465-4cbb-b1f9-7fb90cce6310",
+      "id" : "SNYK-JAVA-ORGGRAALVMSDK-6026508",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 3.7,
+          "severity" : "low",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.graalvm.sdk:graal-sdk](https://search.maven.org/artifact/org.graalvm.sdk/graal-sdk)
 is a high-performance JDK distribution designed to accelerate the execution of 
applications written in Java and other JVM languages along with support for 
JavaScript, Ruby, Python, and a number of other popular languages. Affected 
versions of this package are vulnerable to Buffer Overflow in 
`LoadVectorMaskedNode::Ideal()` in the hotspot compiler, when running unstr 
[...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2023-10-22T14:56:27Z",
+      "published" : "2023-10-22T14:56:41Z",
+      "updated" : "2024-03-11T09:54:02Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "63a18c7e-0dc2-46f6-b2e5-4c7856192736",
+      "id" : "SNYK-JAVA-ORGGRAALVMSDK-6026490",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+        }
+      ],
+      "description" : "## Overview 
[org.graalvm.sdk:graal-sdk](https://search.maven.org/artifact/org.graalvm.sdk/graal-sdk)
 is a high-performance JDK distribution designed to accelerate the execution of 
applications written in Java and other JVM languages along with support for 
JavaScript, Ruby, Python, and a number of other popular languages. Affected 
versions of this package are vulnerable to Denial of Service (DoS) in 
`security-libs/javax.net.ssl`, when running untrusted code. ## Reme [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2023-10-22T14:35:46Z",
+      "published" : "2023-10-22T14:35:46Z",
+      "updated" : "2024-03-11T09:54:02Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "e16d6fae-6903-47d3-add5-97d1d9e2a7fc",
+      "id" : "SNYK-JAVA-XALAN-2953385",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 7.5,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+        }
+      ],
+      "description" : "## Overview 
[xalan:xalan](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22xalan%22) is a 
XSLT processor for transforming XML documents into HTML, text, or other XML 
document types. It implements XSL Transformations (XSLT) Version 1.0 and XML 
Path Language (XPath) Version 1.0 and can be used from the command line, in an 
applet or a servlet, or as a module in other program. Affected versions of this 
package are vulnerable to Arbitrary Code Execution when processing [...]
+      "recommendation" : "Upgrade the package version to 2.7.3 to fix this 
vulnerability",
+      "created" : "2022-07-20T10:09:21Z",
+      "published" : "2022-07-20T11:39:26Z",
+      "updated" : "2024-03-11T09:49:52Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "2bf053f1-5d6d-4a04-9756-4ab5599451e1",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-2841508",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 4.8,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P"
+        }
+      ],
+      "description" : "## Overview 
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
 is a Java implementation of cryptographic algorithms. Affected versions of 
this package are vulnerable to Cryptographic Issues via weak key-hash message 
authentication code (HMAC) that is only 16 bits long which can result in hash 
collisions, as a result of an error within the BKS version 1 keystore (BKS-V1) 
files and could lead to an attacker being abl [...]
+      "recommendation" : "Upgrade the package version to 1.69 to fix this 
vulnerability",
+      "created" : "2022-05-23T09:25:43Z",
+      "published" : "2022-05-26T11:36:47Z",
+      "updated" : "2024-03-06T13:56:37Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "f2bc40ca-8891-4e15-9d15-e6cc8a2e5e13",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-5771339",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
 is a Java implementation of cryptographic algorithms. Affected versions of 
this package are vulnerable to Information Exposure due to missing validation 
for the X.500 name of any certificate, subject, or issuer. The presence of a 
wild card may lead to information disclosure. This could allow a malicious user 
to obtain unauthorized information via blind  [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2023-07-11T15:15:48Z",
+      "published" : "2023-06-30T08:15:58Z",
+      "updated" : "2024-03-11T09:54:01Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "32b6cce0-75c2-493e-990b-f218191d9fb7",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6084022",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.5,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+        }
+      ],
+      "description" : "## Overview 
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
 is a Java implementation of cryptographic algorithms. Affected versions of 
this package are vulnerable to Uncontrolled Resource Consumption ('Resource 
Exhaustion') within the `org.bouncycastle.openssl.PEMParser` class. Parsing a 
file that has crafted `ASN.1` data through the `PEMParser` causes an 
`OutOfMemoryError`. ## Workaround The attack can be avoid [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2023-11-24T08:10:03Z",
+      "published" : "2023-11-24T08:21:18Z",
+      "updated" : "2024-06-19T13:32:28Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "69a1fb82-9ed0-4c6b-8366-4f39f47a9ef4",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6277380",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.9,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
 is a Java implementation of cryptographic algorithms. Affected versions of 
this package are vulnerable to Observable Timing Discrepancy via the PKCS#1 1.5 
and OAEP decryption process. An attacker can recover ciphertexts via a 
side-channel attack by exploiting the Marvin security flaw. The PKCS#1 1.5 
attack vector leaks data via `javax.crypto.Cipher` exc [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2024-02-26T18:00:10Z",
+      "published" : "2024-03-03T21:08:12Z",
+      "updated" : "2024-04-21T07:48:52Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "fab9a60e-1dce-4c53-9011-676898520e62",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-1052448",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 8.1,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+        }
+      ],
+      "description" : "## Overview 
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
 is a Java implementation of cryptographic algorithms. Affected versions of 
this package are vulnerable to Comparison Using Wrong Factors. The 
`OpenBSDBCrypt.checkPassword` utility method compared incorrect data when 
checking the password, allowing incorrect passwords to indicate they were 
matching with previously hashed ones that were different. ## Reme [...]
+      "recommendation" : "Upgrade the package version to 1.67 to fix this 
vulnerability",
+      "created" : "2020-12-18T11:32:45Z",
+      "published" : "2020-12-18T16:33:09Z",
+      "updated" : "2024-03-11T09:53:49Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "acf24eef-aca7-49bf-87e7-b1d93e813eea",
+      "id" : "SNYK-JAVA-IOSMALLRYE-2993220",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 6.1,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Cross-site Scripting (XSS) due to an improper sanitization of 
user inputs. ## Details A cross-site scripting attack occurs when the attacker 
tricks a legitimate web-based application or site to accept a request as 
originating from a trusted source. This is done by escaping the context of the 
web application; the web application then delivers that data to its users along 
with other trusted dynamic conte [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2022-08-26T08:28:37Z",
+      "published" : "2022-08-26T08:28:37Z",
+      "updated" : "2024-03-11T09:49:54Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "89bc87ff-9b5a-4c8e-be74-50df618564bb",
+      "id" : "SNYK-JAVA-COMH2DATABASE-31685",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 8.8,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+        }
+      ],
+      "description" : "## Overview 
[com.h2database:h2](http://www.h2database.com/html/main.html) is a database 
engine Affected versions of this package are vulnerable to Remote Code 
Execution (RCE). It provides a web console for managing the database, and by 
default it does not have a password set. The `CREATE ALIAS` function calls Java 
code, allowing an attacker to execute arbitrary Java code on projects running 
the h2 database. NOTE: To be remotely exploitable, the affected application 
[...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2018-06-06T09:42:14Z",
+      "published" : "2018-06-06T15:07:50Z",
+      "updated" : "2024-03-11T09:47:19Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "761fac87-46ca-4801-90cb-2a7f5a8d1491",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6277382",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.9,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.bouncycastle:bcprov-jdk15to18](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15to18)
 is a Java implementation of cryptographic algorithms. Affected versions of 
this package are vulnerable to Observable Timing Discrepancy via the PKCS#1 1.5 
and OAEP decryption process. An attacker can recover ciphertexts via a 
side-channel attack by exploiting the Marvin security flaw. The PKCS#1 1.5 
attack vector leaks data via `javax.crypto.Cipher` [...]
+      "recommendation" : "Upgrade the package version to 1.78 to fix this 
vulnerability",
+      "created" : "2024-02-26T18:00:10Z",
+      "published" : "2024-03-03T21:08:12Z",
+      "updated" : "2024-04-21T07:48:52Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "4ead0905-39e8-4b79-986c-a827289dadd4",
+      "id" : "SNYK-JAVA-ORGJSON-5962464",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 7.5,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Allocation of Resources Without Limits or Throttling. An attacker 
can cause indefinite amounts of memory to be used by inputting a string of 
modest size. This can lead to a Denial of Service. ## PoC ```java package 
orgjsonbug; import org.json.JSONObject; /** * Illustrates a bug in JSON-Java. 
*/ public class Bug { private static String makeNested(int depth) { if (depth 
== 0) { return \"{\\\"a\\\":1}\";  [...]
+      "recommendation" : "Upgrade the package version to 20231013 to fix this 
vulnerability",
+      "created" : "2023-10-13T06:42:49Z",
+      "published" : "2023-10-13T06:42:49Z",
+      "updated" : "2024-03-11T09:54:02Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "d4df2818-7fef-4ccd-bea2-6ca4f37d4888",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-1296075",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.9,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
 is a Java implementation of cryptographic algorithms. Affected versions of 
this package are vulnerable to Timing Attack. A timing issue within the EC math 
library can expose information about the private key when an attacker is able 
to observe timing information for the generation of multiple deterministic 
ECDSA signatures. ## Remediation Upgrade `org.b [...]
+      "recommendation" : "Upgrade the package version to 1.66 to fix this 
vulnerability",
+      "created" : "2021-05-20T17:21:17Z",
+      "published" : "2021-05-20T17:22:54Z",
+      "updated" : "2024-03-11T09:53:53Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "0210b57b-6269-404c-b131-0678b28b77b8",
+      "id" : "SNYK-JAVA-COMGITHUBJNR-1570422",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 8.1,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Use After Free due to CVE-2014-4043. ## Remediation Upgrade 
`com.github.jnr:jnr-posix` to version 3.1.8 or higher. ## References - 
[CVE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4043) - [GitHub 
PR](https://github.com/jnr/jnr-posix/pull/171) - [RedHat Bugzilla 
Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1983750)",
+      "recommendation" : "Upgrade the package version to 3.1.8 to fix this 
vulnerability",
+      "created" : "2021-08-27T16:00:23Z",
+      "published" : "2021-09-06T15:30:41Z",
+      "updated" : "2024-03-06T14:01:33Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "0210b57b-6269-404c-b131-0678b28b77b8",
+      "id" : "SNYK-JAVA-COMGITHUBJNR-1570422",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 8.1,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Use After Free due to CVE-2014-4043. ## Remediation Upgrade 
`com.github.jnr:jnr-posix` to version 3.1.8 or higher. ## References - 
[CVE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4043) - [GitHub 
PR](https://github.com/jnr/jnr-posix/pull/171) - [RedHat Bugzilla 
Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1983750)",
+      "recommendation" : "Upgrade the package version to 3.1.8 to fix this 
vulnerability",
+      "created" : "2021-08-27T16:00:23Z",
+      "published" : "2021-09-06T15:30:41Z",
+      "updated" : "2024-03-06T14:01:33Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "d4f986ad-1313-4d8a-b5e7-8da611c50b1d",
+      "id" : "SNYK-JAVA-COMHAZELCAST-6282853",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 7.6,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L"
+        }
+      ],
+      "description" : "## Overview 
[com.hazelcast:hazelcast](https://github.com/hazelcast/hazelcast) is a 
clustering and highly scalable data distribution platform. Affected versions of 
this package are vulnerable to Improper Authorization due to missing permission 
checks on the Hazelcast client protocol. Authenticated users can access data 
stored in the cluster by exploiting this oversight. ## Remediation Upgrade 
`com.hazelcast:hazelcast` to version 5.2.5, 5.3.5 or higher. ## References [...]
+      "recommendation" : "Upgrade the package version to 5.2.5,5.3.5 to fix 
this vulnerability",
+      "created" : "2024-02-28T08:11:04Z",
+      "published" : "2024-02-28T08:34:14Z",
+      "updated" : "2024-03-06T14:09:37Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "5d788c44-92b4-42c7-8793-4d41a6d13623",
+      "id" : "SNYK-JAVA-COMHAZELCAST-6249443",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 6.5,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+        }
+      ],
+      "description" : "## Overview 
[com.hazelcast:hazelcast](https://github.com/hazelcast/hazelcast) is a 
clustering and highly scalable data distribution platform. Affected versions of 
this package are vulnerable to Improper Access Control due to inadequate 
permission checking, within the SQL mapping for the `CSV File Source` 
connector. This could enable unauthorized clients to access data from files 
stored on a member's filesystem. ## Workaround This vulnerability can be 
avoided by dis [...]
+      "recommendation" : "Upgrade the package version to 5.2.5,5.3.5 to fix 
this vulnerability",
+      "created" : "2024-02-16T12:15:33Z",
+      "published" : "2024-02-16T12:27:52Z",
+      "updated" : "2024-05-15T07:26:44Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "ff93ea9b-79d6-4169-b8c5-90834218a1d8",
+      "id" : "SNYK-JAVA-COMHAZELCAST-5591146",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 4.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+        }
+      ],
+      "description" : "## Overview 
[com.hazelcast:hazelcast](https://github.com/hazelcast/hazelcast) is a 
clustering and highly scalable data distribution platform. Affected versions of 
this package are vulnerable to Insufficiently Protected Credentials via the 
`ConfigXmlGenerator` component due to improper password masking in the member 
configurations. Exploiting this vulnerability allows Hazelcast Management 
Center users to view members' secrets. ## Remediation Upgrade `com.hazelcast:h 
[...]
+      "recommendation" : "Upgrade the package version to 5.1.6,5.3.0 to fix 
this vulnerability",
+      "created" : "2023-05-22T07:58:25Z",
+      "published" : "2023-05-22T10:08:18Z",
+      "updated" : "2024-03-11T09:53:16Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "3d1bdac3-3e2d-41c3-8f85-ca090bb93e4f",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-5771489",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.bouncycastle:bcprov-jdk15to18](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15to18)
 is a Java implementation of cryptographic algorithms. Affected versions of 
this package are vulnerable to Information Exposure due to missing validation 
for the X.500 name of any certificate, subject, or issuer. The presence of a 
wild card may lead to information disclosure. This could allow a malicious user 
to obtain unauthorized information via bl [...]
+      "recommendation" : "Upgrade the package version to 1.74 to fix this 
vulnerability",
+      "created" : "2023-07-11T15:30:00Z",
+      "published" : "2023-06-30T08:15:58Z",
+      "updated" : "2024-03-11T09:54:01Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "ba9b5b48-9e9d-4b46-b885-92767e95af9a",
+      "id" : "SNYK-JAVA-ORGAPACHECOMMONS-6475534",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 7.5,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+        }
+      ],
+      "description" : "## Overview 
[org.apache.commons:commons-configuration2](https://mvnrepository.com/artifact/org.apache.commons/commons-configuration2/2.0)
 is a group of tools to assist in the reading of configuration/preferences 
files in various formats. Affected versions of this package are vulnerable to 
Out-of-Bounds Write due to the improper handling of certain configurations in 
the `AbstractListDelimiterHandler.flattenIterator` method. An attacker can 
trigger a stack overflow b [...]
+      "recommendation" : "Upgrade the package version to 2.10.1 to fix this 
vulnerability",
+      "created" : "2024-03-21T15:04:18Z",
+      "published" : "2024-03-21T15:09:43Z",
+      "updated" : "2024-04-23T11:01:46Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "9b98e428-165c-4c49-84b3-0842e1c04dd8",
+      "id" : "SNYK-JAVA-ORGAPACHECOMMONS-6475528",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 7.5,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+        }
+      ],
+      "description" : "## Overview 
[org.apache.commons:commons-configuration2](https://mvnrepository.com/artifact/org.apache.commons/commons-configuration2/2.0)
 is a group of tools to assist in the reading of configuration/preferences 
files in various formats. Affected versions of this package are vulnerable to 
Out-of-Bounds Write due to the improper handling of a cyclical object tree when 
calling the `ListDelimiterHandler.flatten` method. An attacker can trigger a 
StackOverflowError and [...]
+      "recommendation" : "Upgrade the package version to 2.10.1 to fix this 
vulnerability",
+      "created" : "2024-03-21T15:01:49Z",
+      "published" : "2024-03-21T15:07:58Z",
+      "updated" : "2024-04-23T11:01:46Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "b9ddb5ce-ece9-42e4-b836-38b61c4f8386",
+      "id" : "SNYK-JAVA-ORGTHREETEN-6592149",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to NULL Pointer Dereference via the 
`org.threeten.bp.LocalDate::compareTo(ChronoLocalDate)` method. An attacker can 
trigger a `NullPointerException` by supplying a null object as an argument to 
the `other` parameter. ## Remediation There is no fixed version for 
`org.threeten:threetenbp`. ## References - [GitHub 
Gist](https://gist.github.com/LLM4IG/3cc9183dcd887020368a0bafeafec5e3) - 
[Vulnerable Code](http [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2024-04-09T06:33:27Z",
+      "published" : "2024-04-09T06:50:04Z",
+      "updated" : "2024-04-09T07:07:18Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "554bc189-75fa-429f-a2d4-727c886c157e",
+      "id" : "SNYK-JAVA-ORGTHREETEN-6591891",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 6.2,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Integer Overflow or Wraparound in the 
`org.threeten.bp.format.DateTimeFormatter::parse(CharSequence, ParsePosition)` 
method, when the string is empty, the parameter index is 10, and the 
`errorIndex` is 10. ## Remediation There is no fixed version for 
`org.threeten:threetenbp`. ## References - [GitHub 
Gist](https://gist.github.com/LLM4IG/d2618f5f4e5ac37eb75cff5617e58b90) - 
[Vulnerable Code](https://gith [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2024-04-08T19:36:37Z",
+      "published" : "2024-04-09T06:16:54Z",
+      "updated" : "2024-04-09T06:16:54Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "273d894b-8c64-4b0b-ad86-6ce592d32b53",
+      "id" : "SNYK-JAVA-JODATIME-6595834",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to NULL Pointer Dereference via the component 
`org.joda.time.format.PeriodFormat::wordBased(Locale)`. An attacker can trigger 
a `NullPointerException` by supplying a null value to the `Locale` parameter. 
## Remediation There is no fixed version for `joda-time:joda-time`. ## 
References - [GitHub 
Gist](https://gist.github.com/LLM4IG/6614bfa658295d7af07a6d37e06db27f) - 
[Vulnerable Code](https://github.com/Jo [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2024-04-11T06:34:09Z",
+      "published" : "2024-04-11T06:34:09Z",
+      "updated" : "2024-04-11T13:35:26Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "1b2dbc11-6ff1-4d62-8e76-42dc2ce6a74b",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6612985",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 7.5,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P"
+        }
+      ],
+      "description" : "## Overview 
[org.bouncycastle:bcprov-jdk15to18](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15to18)
 is a Java implementation of cryptographic algorithms. Affected versions of 
this package are vulnerable to Infinite loop in ED25519 verification in the 
`ScalarUtil` class. An attacker can send a malicious signature and public key 
to trigger denial of service. ## Remediation Upgrade 
`org.bouncycastle:bcprov-jdk15to18` to version 1.78 or higher. ## Ref [...]
+      "recommendation" : "Upgrade the package version to 1.78 to fix this 
vulnerability",
+      "created" : "2024-04-14T09:52:23Z",
+      "published" : "2024-04-14T13:27:01Z",
+      "updated" : "2024-04-14T13:27:01Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "8e38c018-71df-4acf-a966-d97abcc7d886",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6613080",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+        }
+      ],
+      "description" : "## Overview 
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
 is a Java implementation of cryptographic algorithms. Affected versions of 
this package are vulnerable to Allocation of Resources Without Limits or 
Throttling in the `solveQuadraticEquation()` function used for certificate 
verification in `ECCurve.java`. Passing a large f2m parameter can cause 
excessive CPU consumption. ## Remediation There is no fixed  [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2024-04-14T15:09:02Z",
+      "published" : "2024-04-14T15:09:02Z",
+      "updated" : "2024-04-14T15:09:03Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "8e38c018-71df-4acf-a966-d97abcc7d886",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6613080",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+        }
+      ],
+      "description" : "## Overview 
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
 is a Java implementation of cryptographic algorithms. Affected versions of 
this package are vulnerable to Allocation of Resources Without Limits or 
Throttling in the `solveQuadraticEquation()` function used for certificate 
verification in `ECCurve.java`. Passing a large f2m parameter can cause 
excessive CPU consumption. ## Remediation There is no fixed  [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2024-04-14T15:09:02Z",
+      "published" : "2024-04-14T15:09:02Z",
+      "updated" : "2024-04-14T15:09:03Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "f829d88c-eedb-4694-b428-52b473cc731b",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6613078",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+        }
+      ],
+      "description" : "## Overview 
[org.bouncycastle:bcprov-jdk15to18](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15to18)
 is a Java implementation of cryptographic algorithms. Affected versions of 
this package are vulnerable to Allocation of Resources Without Limits or 
Throttling in the `solveQuadraticEquation()` function used for certificate 
verification in `ECCurve.java`. Passing a large f2m parameter can cause 
excessive CPU consumption. ## Remediation Upgrade `org.b [...]
+      "recommendation" : "Upgrade the package version to 1.78 to fix this 
vulnerability",
+      "created" : "2024-04-14T15:09:02Z",
+      "published" : "2024-04-14T15:09:02Z",
+      "updated" : "2024-04-14T15:09:03Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "0095c734-2ac9-455a-9a47-ffd1e82658e4",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6613077",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.9,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P"
+        }
+      ],
+      "description" : "## Overview 
[org.bouncycastle:bcprov-jdk15to18](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15to18)
 is a Java implementation of cryptographic algorithms. Affected versions of 
this package are vulnerable to Observable Discrepancy due to the timing 
difference between exceptions thrown when processing RSA key exchange 
handshakes, AKA Marvin. **Note:** The implemented fix mitigates the leakage of 
data via the PKCS#1 interface, but does not fully allev [...]
+      "recommendation" : "Upgrade the package version to 1.78 to fix this 
vulnerability",
+      "created" : "2024-04-14T14:45:29Z",
+      "published" : "2024-04-14T14:45:29Z",
+      "updated" : "2024-05-29T14:05:06Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "d8dd9c4f-d279-4c67-996c-10c28a29895f",
+      "id" : "SNYK-JAVA-IONETTY-1042268",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 7.4,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
+        }
+      ],
+      "cwes" : [
+        295
+      ],
+      "description" : "## Overview 
[io.netty:netty-handler](https://github.com/netty/netty.git/netty-handler) is a 
library that provides an asynchronous event-driven network application 
framework and tools for rapid development of maintainable high performance and 
high scalability protocol servers and clients. In other words, Netty is a NIO 
client server framework which enables quick and easy development of network 
applications such as protocol servers and clients. It greatly simplifies  [...]
+      "created" : "2020-11-20T15:44:58Z",
+      "updated" : "2023-10-11T01:10:45Z",
+      "affects" : [
+        {
+          "ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"
+        }
+      ]
+    }
+  ]
+}
\ No newline at end of file
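Review bot: none of the vulnerability entries in this hunk carries an `analysis` block (`state`, `justification`, `detail`, `response`), so the file records which Snyk advisories Dependency-Track matched against the SBOM but never states whether Camel-Quarkus is actually affected; a VEX consumer will treat every entry as an open, unassessed finding, which defeats the purpose of shipping a VEX beside the SBOM. Consider exporting the per-finding analysis from Dependency-Track (or adding, where the project has decided it, something like `"analysis" : { "state" : "not_affected", "justification" : "code_not_reachable" }`) before publishing. Two data problems in the same array should also be fixed: the entries with `"bom-ref" : "0210b57b-6269-404c-b131-0678b28b77b8"` (SNYK-JAVA-COMGITHUBJNR-1570422) and `"bom-ref" : "8e38c018-71df-4acf-a966-d97abcc7d886"` (SNYK-JAVA-ORGBOUNCYCASTLE-6613080) appear twice each, and `bom-ref` values must be unique within a CycloneDX document, so the duplicates should be dropped; and several recommendations read `"Upgrade the package version to to fix this vulnerability"` with the version missing, for findings whose own description says "There is no fixed version" (threetenbp, joda-time, bcprov-jdk15on), which is misleading to anyone who reads only the recommendation field. Every entry also points at the same `"ref" : "2c0e2d03-bde8-45fc-9fa0-bcc8c01a4959"`, although the advisories concern different packages (h2, bouncycastle, hazelcast, commons-configuration2, netty), so the file cannot be used to locate which dependency carries each advisory. Minor: the file is committed without a trailing newline.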
